I think technically the server only needs to send $p$ to the client, since $m$ can be derived (although as stated, the protocol could easily be extended to three or more collaborating parties)
– Stephen Touset Apr 25 '13 at 20:13

@StephenTouset, the original poster is correct that you need to send $m$ to the client. $p$ is a number in the range $0\ldots n-1$, so it only reveals the value of $m \bmod n$; it does not reveal the full value of $m$. Thus, you need to send the full $m$ as well. In practice, it is enough to send just $m$ (there is no need to send $p$ too, since the client can re-derive it), but that's probably not a big deal in practice.
– D.W. Apr 27 '13 at 19:41

1 Answer

Nitpick: I think you mean that your goal is to generate a random number in the range $0\ldots n-1$ (not $0\ldots n$). Also, to avoid bias, you need to generate $m$ as a random number in the range $0 \ldots (\lfloor 2^{256}/n \rfloor \cdot n)-1$ (not $0\ldots \lfloor 2^{256}/n \rfloor \cdot n$).

This problem is known as secure coin flipping, and it has been studied in great depth before. For solutions and analysis, look at the following questions on this site:
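The two points raised in the thread, that $m$ (not just $p = m \bmod n$) must be revealed for a commitment to be checkable, and that $m$ must be drawn from $0 \ldots (\lfloor 2^{256}/n \rfloor \cdot n)-1$ rather than the full $2^{256}$ range to avoid bias, can both be made concrete in a few lines of Python. The code below is an added example, not code from the question or the answers: it assumes a SHA-256 commitment over a nonce and the full $m$, a configurable bit width in place of the fixed 256 bits so the bias can be counted exactly on a tiny case, and that the parties combine their contributions as a sum modulo $n$ (the thread does not spell out the combining step).

```python
import hashlib
import secrets

BITS = 256  # assumption: width of the random draw, matching the 2^256 in the thread


def candidate_limit(n, bits=BITS):
    """Exclusive upper bound floor(2^bits / n) * n for m.

    Every residue mod n has exactly floor(2^bits / n) preimages in
    0..limit-1, so m mod n is uniform. Using 0..2^bits-1 instead would
    give the low residues one preimage more than the high ones (bias).
    """
    if n <= 0 or n > (1 << bits):
        raise ValueError("n must be in 1..2^bits")
    return ((1 << bits) // n) * n


def residue_counts(bits, n, truncate):
    """Exact count of m values mapping to each residue p = m mod n.

    truncate=False: m ranges over 0..2^bits-1 (biased unless n | 2^bits).
    truncate=True:  m ranges over 0..candidate_limit(n, bits)-1 (uniform).
    Pure arithmetic, so it works for bits=256 as well as tiny cases.
    """
    top = candidate_limit(n, bits) if truncate else (1 << bits)
    q, r = divmod(top, n)
    return [q + (1 if i < r else 0) for i in range(n)]


def draw_m(n, bits=BITS, rng=secrets.randbits):
    """Rejection sampling: redraw m until it is below the limit.

    Returns (m, p) with p = m mod n. A party keeps m (to reveal later)
    and p is what the combined result is built from.
    """
    limit = candidate_limit(n, bits)
    while True:
        m = rng(bits)  # uniform in 0..2^bits-1
        if m < limit:  # rejects at most (n-1)/2^bits of the draws
            return m, m % n


def commit(m, nonce):
    """Assumed commitment: SHA-256 over a random nonce and the full m.

    Committing to the full m is what lets the other party verify the
    reveal; p = m mod n alone has floor(2^bits / n) possible preimages.
    """
    return hashlib.sha256(nonce + m.to_bytes(BITS // 8, "big")).hexdigest()


def verify_reveal(commitment, m, nonce, n):
    """Verifier recomputes the commitment from the revealed (m, nonce).

    Returns p = m mod n when the reveal matches, None otherwise.
    Handing the verifier only p (as if it were m) fails the check.
    """
    if commit(m, nonce) != commitment:
        return None
    return m % n


def combine(ps, n):
    """Assumed combining rule for two or more parties: sum of the p_i mod n.

    If any one party's p_i is uniform and independent of the others, the
    sum is uniform in 0..n-1, which is why the scheme extends to more
    than two collaborators.
    """
    return sum(ps) % n


if __name__ == "__main__":
    # Tiny case: 4-bit draws, n = 6. 2^4 = 16 is not a multiple of 6,
    # so the untruncated range favours residues 0..3 over 4..5.
    print("biased  :", residue_counts(4, 6, truncate=False))
    print("uniform :", residue_counts(4, 6, truncate=True))

    # Two-party run with the real 256-bit width.
    n = 1000
    m_a, p_a = draw_m(n)
    m_b, p_b = draw_m(n)
    nonce_a = secrets.token_bytes(16)
    c_a = commit(m_a, nonce_a)          # A sends c_a first
    # ... B then sends p_b (or m_b); A reveals (m_a, nonce_a) ...
    assert verify_reveal(c_a, m_a, nonce_a, n) == p_a
    print("combined:", combine([p_a, p_b], n))
```

The `residue_counts` function is the check a practitioner would run before trusting a range-reduction: with `bits=4, n=6` it returns `[3, 3, 3, 3, 2, 2]` for the naive range and `[2, 2, 2, 2, 2, 2]` for the truncated one, which is exactly the bias the answer's nitpick is about.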